From ae898ff13b4782239a152b43125aa1fc0b80ba3d Mon Sep 17 00:00:00 2001
From: Mihai Moldovan <ionic@ionic.de>
Date: Mon, 16 Feb 2015 09:35:47 +0100
Subject: CVE security review [1/2].

* CVE security review [1/2]:
  - Update 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch.
    Use xfree() instead of free() in nx-libs.
  - Update 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch.
    Apply correctly on nx-libs 3.6.x.
  - Update 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch.
    Human-readable version of "1 MB".
---
 ...10-unvalidated-length-fields-in-fs_read_q.patch | 34 ++++++++++++----------
 1 file changed, 19 insertions(+), 15 deletions(-)

(limited to 'debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch')

diff --git a/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch b/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
index 96b7b9749..9d0f3f875 100644
--- a/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
+++ b/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
@@ -1,4 +1,4 @@
-From c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7 Mon Sep 17 00:00:00 2001
+From e29bbd5bf0565eaf7c02f85a57b87f66531fa6b3 Mon Sep 17 00:00:00 2001
 From: Mike DePaulo <mikedep333@gmail.com>
 Date: Sun, 8 Feb 2015 22:08:09 -0500
 Subject: [PATCH 11/40] CVE-2014-0210: unvalidated length fields in
@@ -9,13 +9,15 @@ fs_read_query_info() parses a reply from the font server.  The reply
 contains embedded length fields, none of which are validated.  This
 can cause out of bound reads in either fs_read_query_info() or in
 _fs_convert_props() which it calls to parse the fsPropInfo in the reply.
+
+v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan)
 ---
  nx-X11/lib/font/fc/fsconvert.c | 19 ++++++++++++++-----
- nx-X11/lib/font/fc/fserve.c    | 40 ++++++++++++++++++++++++++++++++++++++--
- 2 files changed, 52 insertions(+), 7 deletions(-)
+ nx-X11/lib/font/fc/fserve.c    | 43 +++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 54 insertions(+), 8 deletions(-)
 
 diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
-index 9ff54f5..d41e0b8 100644
+index 9a5e194..afa2c32 100644
 --- a/nx-X11/lib/font/fc/fsconvert.c
 +++ b/nx-X11/lib/font/fc/fsconvert.c
 @@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
@@ -56,18 +58,18 @@ index 9ff54f5..d41e0b8 100644
  	}
  	off_adr += SIZEOF(fsPropOffset);
 diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
-index 7762653..2a6f6c9 100644
+index 9e652d2..75cabdd 100644
 --- a/nx-X11/lib/font/fc/fserve.c
 +++ b/nx-X11/lib/font/fc/fserve.c
-@@ -865,6 +865,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -866,6 +866,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
      FSFpePtr		conn = (FSFpePtr) fpe->private;
      fsQueryXInfoReply	*rep;
      char		*buf;
-+    long		bufleft; /* length of reply left to use */
++    long		bufleft = 0; /* length of reply left to use */
      fsPropInfo		*pi;
      fsPropOffset	*po;
      pointer		pd;
-@@ -895,7 +896,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -896,7 +897,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
  
      buf = (char *) rep;
      buf += SIZEOF(fsQueryXInfoReply);
@@ -79,7 +81,7 @@ index 7762653..2a6f6c9 100644
      /* move the data over */
      fsUnpack_XFontInfoHeader(rep, pInfo);
      
-@@ -903,19 +907,51 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -904,19 +908,52 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
      _fs_init_fontinfo(conn, pInfo);
  
      /* Compute offsets into the reply */
@@ -94,22 +96,24 @@ index 7762653..2a6f6c9 100644
 +    }
      pi = (fsPropInfo *) buf;
      buf += SIZEOF (fsPropInfo);
-+    bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
-     
-+    if (bufleft < pi->data_len)
+-    
++    bufleft -= SIZEOF (fsPropInfo);
++
++    if ((bufleft / SIZEOF (fsPropOffset)) < pi->num_offsets)
 +    {
 +	ret = -1;
 +#ifdef DEBUG
 +	fprintf(stderr,
-+		"fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
-+		bufleft, pi->data_len);
++		"fsQueryXInfo: (bufleft / SIZEOF (fsPropOffset)) (%ld) < pi->num_offsets (%d)\n",
++		bufleft / SIZEOF (fsPropOffset), pi->num_offsets);
 +#endif
 +	goto bail;
 +    }
      po = (fsPropOffset *) buf;
      buf += pi->num_offsets * SIZEOF(fsPropOffset);
-+    bufleft -= pi->data_len;
++    bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
  
++    if (bufleft < pi->data_len)
 +    {
 +	ret = -1;
 +#ifdef DEBUG
-- 
cgit v1.2.3